Blocking DDoS Archive

Telegram founder Pavel Durov has suggested that the Chinese government may have been behind a recent DDoS attack on the encrypted messaging service. Writing on Twitter, the founder called it a “state actor-sized DDoS” which came mainly from IP addresses located in China. Durov noted that the attack coincided with the ongoing protests in Hong Kong, where people are using encrypted messaging apps like Telegram to avoid detection while coordinating their protests.

The attack raises questions about whether the Chinese government is attempting to disrupt the encrypted messaging service and limit its effectiveness as an organizing tool for the hundreds of thousands of demonstrators taking part in the protests. Bloomberg reports that encrypted messaging apps like Telegram and FireChat are currently trending in Apple’s Hong Kong App Store, as demonstrators attempt to conceal their identities from Hong Kong’s Beijing-backed government.


As well as using encrypted messaging apps, Bloomberg notes that protesters in Hong Kong are also covering their faces to avoid facial recognition systems. They’re also avoiding the use of public transit cards that can link location to identities.

Telegram’s Twitter account said that the service had been hit with “gadzillions of garbage requests,” mostly from IP addresses originating in China, as part of the DDoS attack which had stopped the service from being able to process legitimate requests from users. It said that these garbage requests tend to be generated by botnets, networks of computers infected with malware. “This case was not an exception,” Durov tweeted without elaborating.

One of the perpetrators of the 2015 TalkTalk cyber hack has been sentenced to four years in prison for his role in the attack.

22-year-old Daniel Kelley, from Llanelli, South Wales, who also suffers from Asperger’s syndrome, originally pleaded guilty to 11 hacking-related offences in 2016.

Judge Mark Dennis sentenced him at the Old Bailey to four years’ detention in a young offenders’ institution. Judge Dennis said Kelley hacked computers “for his own personal gratification”, regardless of the damage caused. Kelley went on to blackmail company bosses, revealing a “cruel and calculating side to his character”, he said.

TalkTalk experienced three significant cyber attacks in 2015, resulting in a leak of the details of over 150,000 customers. The company hired the cyber arm of defence contractor BAE Systems to investigate the breach.

Kelley’s hacking offences also involved half a dozen other organisations, including a Welsh further education college, Coleg Sir Gar, where he was a student.

His actions caused “stress and anxiety” to his victims, as well as harm to their businesses, with the total cost to TalkTalk from multiple hackers estimated at £77m.

Between September 2013 and November 2015, Kelley engaged in a wide range of hacking activities, using stolen information to blackmail individuals and companies. Despite attempts at anonymity, his crimes were revealed in his online activities.

In September 2012, he boasted on Skype that he was “involved with black hat activities and I can ddos (Distributed Denial of Service)” in reference to malicious hacking. Commenting on what he was doing, he wrote on an online forum: “Oh God, this is so illegal.”

The court heard how Kelley was just 16 when he hacked into Coleg Sir Gar out of “spite or revenge”. The DDoS attack caused widespread disruption to students and teachers and also affected the Welsh Government Public Sector network, which includes schools, councils, hospitals and emergency services.

After he was arrested and bailed, Kelley continued his cyber-crime spree for a more “mercenary purpose”. Prosecutor Peter Ratliff said Kelley had been “utterly ruthless” as he threatened to ruin companies by releasing personal and credit card details of clients.

He hacked into TalkTalk and blackmailed Baroness Harding of Winscombe and five other executives for Bitcoin, the court heard.

However, he only received £4,400 worth of Bitcoins through all his blackmail attempts, having made demands for coins worth over £115,000.

Source: https://eandt.theiet.org/content/articles/2019/06/talktalk-hacker-sentenced-to-four-years/

Global communications service providers, whose businesses are predicated on continuous availability and reliable service levels, are struggling to fend off a growing number of DDoS attacks against their networks. A lack of timely and actionable intelligence is seen as a major obstacle to DDoS protection, according to A10 Networks.

The critical need for DDoS protection

The A10 Networks study conducted by the Ponemon Institute highlights the critical need for DDoS protection that provides higher levels of scalability, intelligence integration, and automation. Some 325 IT and security professionals at ISPs, mobile carriers and cloud service providers participated in the survey.

According to the report, entitled “The State of DDoS Attacks Against Communications Service Providers,” these service providers have major concerns about their DDoS resilience readiness, with only 29 percent of respondents confident in their ability to launch appropriate measures to moderate attacks.

DDoS attacks targeting the network layer are the most common form of attack—and the most dangerous to their business, according to respondents. These attacks flood the network with traffic to starve out legitimate requests and render service unavailable. As a result, service providers say they face a variety of consequences, the most serious being end-user and IT staff productivity losses, revenue losses and customer turnover.

85 percent of survey respondents expect DDoS attacks to either increase (54 percent) or remain at the same high levels (31 percent). Most service providers do not rate themselves highly in either prevention or detection of attacks. Just 34 percent grade themselves as effective or highly effective in prevention; 39 percent grade themselves as effective or highly effective in detection.

DDoS intelligence gap

The DDoS intelligence gap was highlighted by a number of survey findings:

  • Lack of actionable intelligence was cited as the number-one barrier to preventing DDoS attacks, followed by insufficient personnel and expertise, and inadequate technologies.
  • Out-of-date intelligence, which is too stale to be actionable, was cited as the leading intelligence problem, followed by inaccurate information, and a lack of integration between intelligence sources and security measures.
  • Solutions that provide actionable intelligence were seen as the most effective way to defend against attacks.
  • The most important features in DDoS protection solutions were identified as scalability, integration of DDoS protection with cyber intelligence, and the ability to integrate analytics and automation to improve visibility and precision in intelligence gathering.
  • Communications service providers who rated their DDoS defense capabilities highly were more likely to have sound intelligence into global botnets and weapon locations.

“Communications service providers are right, both in their expectations for increased attacks and about their need for better intelligence to prevent them,” said Gunter Reiss, vice president, marketing at A10 Networks. “The continuing proliferation of connected devices and the coming 5G networks will only increase the potential size and ferocity of botnets aimed at service providers. To better prepare, providers will need deeper insights into the identities of these attack networks and where the weapons are located. They also need actionable intelligence that integrates with their security systems and the capacity to automate their response.”

At the same time, many service providers see offering DDoS protection as a managed service as a significant business opportunity, with a majority (66 percent) of providers saying they were either delivering DDoS scrubbing services or planning to do so. However, the high cost of delivering these services profitably with legacy solutions was seen as a major impediment. Service providers are being forced to find modern approaches that can scale defense in a profitable way.

Other key findings

  • DDoS is seen as the most difficult type of cyber attack to deter, prevent and contain.
  • Cybercriminals who use DDoS attacks to extort money are considered the biggest risk to service providers, followed by those who use DDoS attacks as a smoke screen for some other cyber attack.
  • The network is significantly more likely to be attacked than other layers of a service provider’s infrastructure, such as the application and device layers.
  • A majority of respondents say they do not have actionable intelligence into DDoS-for-hire botnets or DDoS weapon locations around the world to help them protect their networks.

Source: https://www.helpnetsecurity.com/2019/06/07/communications-service-providers-ddos/

It is accepted that all states are vulnerable to cyber threats. Yet, a majority of states have yet to develop coherent cyber strategies or implement sufficient preventive measures. Despite the increase in severe cyber incidents directed at national power plants, companies and nuclear-related military equipment, the threat of cyber interference in national nuclear weapons systems is not being properly tackled. With multinational nuclear supply chains and nuclear command and control systems at risk of being compromised, this must be urgently addressed.

The more complex, the more vulnerable

Governments and legislators are struggling to keep pace with the rapid development of cyber capabilities. As military systems become more technically complex, it would be easy to assume that they are more secure. The opposite is true: increased automation and connectivity increase vulnerability to cyber attacks. Measures such as air-gapping a system (i.e. disconnecting it from the internet) can fall short. A recent US Government Accountability Office (GAO) report assessed the cyber security of US weapons systems and found “mission critical cyber vulnerabilities in nearly all weapons systems […] under development.” While the report does not make reference to any specific system type, one can reasonably assume that nuclear weapons systems are vulnerable to cyber attacks.

Possible kinds of cyber attacks

Cyber attacks can take many forms. Activities range from cyber espionage, data theft, infiltration of nuclear command, control and communications (NC3), denial of service/distributed denial of service (DoS/DDoS) attacks, false alarms (jamming and spoofing), sabotage and physical damage. When directed against nuclear weapons systems, in the worst possible case this may escalate to a deliberate or inadvertent exchange of nuclear weapons.

Another area of concern is the supply chain, comprising all hardware and software components belonging to the nuclear weapons system, including NC3, platforms, delivery systems and warheads. The supply chain usually includes a string of companies and providers located in different countries with varying cyber security standards, which means there is room for manipulation and sabotage. Take, for instance, a computer chip produced in country A. If a vulnerability were inserted at the production stage, it could then be remotely activated at a later point when the chip is integrated into the military system of country B. If the attacker happened to be an “insider” with unlimited access to a military site, compromising military equipment could be easier. This could be done, for instance, through an infected USB drive when security standards in a military facility happen to be low, leaving the victim of the attack unaware of the manipulation until it is too late.

Limited awareness of cyber risks to nuclear systems

There is a lack of awareness within the expert community and among decision-makers, and a reluctance by states to implement measures such as common cyber security standards and the sharing of information on vulnerabilities. Among the nuclear weapons states, only in the United States have high-ranking officials, such as Gen. Robert Kehler (ret.) and Air Force Gen. John Hyten (STRATCOM), expressed their concerns about a potential cyber attack affecting the U.S. nuclear deterrent, in two Senate Armed Services Committee hearings in 2013 and 2017. One reason why decision-makers and governments are unwilling to take these steps could be that the threat seems too unrealistic or improbable, belonging merely to the worlds of science fiction and doomsday scenarios. But there is no reason to assume that the warnings of the GAO, the U.S. 2017 Task Force on Cyber Deterrence or the Nuclear Threat Initiative (NTI) are exaggerated.

Certainly, there has not yet been a major cyber attack on a state-run nuclear weapons programme – at least none we have publicly heard of. But there is a string of examples of cyber interference in nuclear installations or parts of the supply chain related to them. These include: the Stuxnet attack in 2010 affecting over 15 Iranian nuclear facilities, which slowed down the development of Iran’s alleged nuclear weapons programme; a massive cyber attack on Lockheed Martin in 2009 during which thousands of confidential files on the U.S. F-35 Lightning II fighter aircraft were compromised by hackers (they were also able to see information such as the location of military aircraft in flight); the 2017 hacking of the THAAD missile defence system in South Korea; the 2009 Conficker worm attack on the French Marine Nationale; a 2011 cyber espionage campaign against the French nuclear company Areva; and deep worries over the WannaCry virus possibly affecting parts of the UK Trident system in 2017.

What should decision-makers and policy-makers do?

Governments need to grapple with how to handle rapidly developing cyber capabilities. A critical first step is to develop a better understanding of the threat, including by answering the following questions:

  • What are the possible targets within the entire supply chain, the nuclear weapons system itself and within the upgrades, modernization and maintenance processes? What kind of vulnerabilities do they have?
  • Who are the potential actors likely to carry out a serious cyber attack? Which state, non-state actor or state-sponsored group would have (1) an interest and (2) the resources and capabilities?

All states possessing nuclear weapons, hosting NATO nuclear weapons on their soil, or running a civil nuclear programme should conduct annual assessments of the cyber resilience of all systems in question.

No less important is improved information sharing on possible and actual vulnerabilities and lessons learned with large technology companies, suppliers, vendors and manufacturers, and the implementation of common security standards. These companies are normally not keen to disclose information on vulnerabilities because of possible reputational damage or for fear of revealing details that potential hackers or competitors could exploit. Government and business must work closely together to overcome these challenges and address joint concerns.

Governments must also invest heavily in research activities in the framework of existing institutions such as the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), the EU CBRN Centres of Excellence, or in cooperation with the European External Action Service (EEAS), the United Nations (UNICRI) and, of course, within national cyber security institutions.

Governments and decision-makers of the nuclear-armed states should also publicly acknowledge that cyber security for nuclear weapons systems is a top tier priority for the safety and security of national military programmes. If the security of nuclear weapons is in question, this not only reduces their credibility and deterrent value but it also poses a massive safety and security risk. This is a risk that no government, population or company can or should manage alone.

Source: https://www.europeanleadershipnetwork.org/commentary/understanding-and-addressing-cyber-threats-to-nuclear-weapons-systems/

  • A denial of service attack, which involves overwhelming computer systems with information in a bid to take them down, successfully interrupted electrical systems in Los Angeles County and Salt Lake County in March, according to the Department of Energy.
  • The incident was a rare example of such an attack succeeding against an energy utility, particularly in a high population area.
  • Denial of service attacks are relatively rudimentary, and unlikely to be the work of a nation-state, one expert told CNBC.

Electrical grid operations in two huge U.S. population areas — Los Angeles County in California, and Salt Lake County in Utah — were interrupted by a distributed-denial-of-service attack in March, according to the Department of Energy’s Electric Emergency and Disturbance Report for March.

The attack did not disrupt electrical delivery or cause any outages, the Department of Energy confirmed, but caused “interruptions” in “electrical system operations.” In this case, “operations” does not refer to electrical delivery to consumers, but could cover any computer systems used within the utilities, including those that run office functions or operational software.

Although the attack did not interrupt service, denial-of-service attacks are easily preventable, and most large organizations no longer consider them major threats. The fact that it succeeded calls into question whether the utilities are prepared for a far more sophisticated attack, as the U.S. government has warned about.

DDoS attacks used to be common, but are easily prevented

A Department of Energy official told CNBC, “DOE received a report about a denial-of-service condition that occurred at an electric utility on March 5, 2019, related to a known vulnerability that required a previously published software update to mitigate. The incident did not impact generation, the reliability of the grid or cause any customer outages.”

The incident, which happened between 9:12 a.m. and 6:57 p.m., also interrupted electrical system operations in Kern County, California, and Converse County, Wyoming.

Distributed denial of service, or DDoS, involves delivering a heavy stream of information and internet traffic, usually with the help of a network of hacked computers, to overwhelm the systems of a target.

DDoS attacks are one of the simplest forms of cyberattack to execute. They used to be very common, but there are common practices in place to prevent them, and most large organizations have practically eliminated them as threats. The fact that such an easily preventable attack succeeded against a system serving such a large electrical distribution area is cause for concern, especially because energy is one of the U.S. government’s most important “critical infrastructure” sectors, making these utilities subject to the strongest protections.

The DOE has not released any information on the origins of the attack. Several countries, including Russia, Iran and China, have been cited by U.S. government authorities as sponsoring attacks against the U.S. electric grid, often with the goal of infiltrating the network or gathering intelligence.

But a DDoS is a relatively unsophisticated type of attack, meant to take down a computer network quickly. That means the culprit could be almost anybody, from a single individual to a larger group.

“DDoS is the low-hanging fruit in the hacker world. It’s very loud and it’s easy to detect quickly. The ones that are operating at the nation-state level don’t need to use DDoS,” said Chris Grove, director of industrial cybersecurity at Indegy, a utility and industrial systems cybersecurity company. “If this was a nation-state attack, they wouldn’t pull off a DDoS attack to take it down, they’d probably do a better job.”

This is the first cyber disruption reported by the Department of Energy in 2019.

Last year, the DOE reported four cyber events. One of them, like the March 5 incident, caused interruptions of electrical system operations in Michigan’s Midland and Genesee counties. The other three were reported as events that “could potentially impact electric power system adequacy or reliability.”

Source: https://www.cnbc.com/2019/05/02/ddos-attack-caused-interruptions-in-power-system-operations-doe.html